●設定（ZSK は RSASHA256 1024bit、KSK は 2048bit で生成。1024bit の ZSK は現在の基準では短めとされるため、鍵長の見直しと、署名の有効期限切れ前の定期的な再署名・鍵ロールオーバーの運用を前提にすること）
[root@ora12ee01 chroot]# cd /var/named/
[root@ora12ee01 named]# dnssec-keygen -r /dev/random -a RSASHA256 -b 1024 -n zone oradomain
Generating key pair..++++++ ...........................................++++++
Koradomain.+008+18606
[root@ora12ee01 named]# ll
合計 32
-rw-r--r-- 1 root root 427 1月 20 17:17 Koradomain.+008+18606.key
-rw------- 1 root root 1012 1月 20 17:17 Koradomain.+008+18606.private
[root@ora12ee01 named]# dnssec-keygen -r /dev/random -f KSK -a RSASHA256 -b 2048 -n zone oradomain
Generating key pair...........................................................................................................................+++ ............................................................................................+++
Koradomain.+008+05116
[root@ora12ee01 named]# ll
合計 40
-rw-r--r-- 1 root root 600 1月 20 17:23 Koradomain.+008+05116.key
-rw------- 1 root root 1776 1月 20 17:23 Koradomain.+008+05116.private
[root@ora12ee01 named]# vi oradomain.zone
[root@ora12ee01 named]# cat oradomain.zone
$ORIGIN oradomain.
$TTL 86400
$INCLUDE "Koradomain.+008+05116.key"
$INCLUDE "Koradomain.+008+18606.key"
@ IN SOA ns.oradomain. root.oradomain. (
2003031401 ; Serial
[root@ora12ee01 named]# dnssec-signzone -o oradomain oradomain.zone
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
oradomain.zone.signed
[root@ora12ee01 named]# ll
-rw-r--r-- 1 root root 443 1月 20 17:26 oradomain.zone
-rw-r--r-- 1 root root 5076 1月 20 17:27 oradomain.zone.signed
[root@ora12ee01 named]# cp -p /etc/named.conf /etc/named.conf.bk
[root@ora12ee01 named]# vi /etc/named.conf
[root@ora12ee01 named]# diff /etc/named.conf.bk /etc/named.conf
63c63
< file "oradomain.zone";
---
> file "oradomain.zone.signed";
[root@ora12ee01 named]# systemctl restart named-chroot.service
●2号機でテスト（以下の dig は +dnssec を付けていないため、A レコードの応答が返ることしか確認できない。RRSIG や ad フラグの有無、すなわち署名ゾーンが正しく配信・検証されているかを確認するには dig +dnssec www.oradomain で再確認する）
[root@ora12ee02 ~]# dig www.oradomain
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> www.oradomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4631
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.oradomain. IN A
;; ANSWER SECTION:
www.oradomain. 86400 IN A 192.168.100.112
;; AUTHORITY SECTION:
oradomain. 86400 IN NS ns.oradomain.
;; ADDITIONAL SECTION:
ns.oradomain. 86400 IN A 192.168.100.111
;; Query time: 0 msec
;; SERVER: 192.168.100.111#53(192.168.100.111)
;; WHEN: 日 1月 20 17:35:43 JST 2019
;; MSG SIZE rcvd: 91